OpenClaw Path Traversal Vulnerability Allowing Arbitrary File Read from Other Agents' Workspaces

Vulnerability

A path traversal vulnerability has been identified in OpenClaw versions prior to 2026.3.24. The flaw sits in the sandbox enforcement mechanism and allows a sandboxed agent to read arbitrary files from the workspaces of other agents. It arises because the 'mediaUrl' and 'fileUrl' parameter keys are not normalized, so values passed under those keys skip the validation and normalization step that sandbox enforcement relies on. As a result, sensitive files such as API keys and configuration data can be read from outside the designated sandbox roots.

Impact

Exploitation of this vulnerability leads to unauthorized access to files in other agents' workspaces, including sensitive information like API keys, session data, conversation logs, and configuration files with credentials. This vulnerability undermines the intended isolation provided by the multi-agent sandbox feature.

Reproduction

To reproduce this vulnerability, a sandboxed agent can be manipulated into calling a message tool with an unnormalized 'mediaUrl' or 'fileUrl' parameter that points to a file in another agent's workspace. The 'normalizeSandboxMediaParams' function does not validate these keys, so the 'handlePluginAction' function dispatches the action without the usual sandbox restrictions. The default media local roots then permit access to the targeted file, bypassing sandbox enforcement.
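The defensive pattern that closes the gap described above is to run every parameter key that can carry a local file reference through one containment check against the sandbox roots, before the action is dispatched. The following is an added example written for this page, not OpenClaw's own code; the names (LOCAL_FILE_KEYS, checkLocalFileValue, normalizeSandboxFileParams) and the sample roots under /sandbox are assumptions made for illustration.

```typescript
import * as path from "node:path";

// Added example, not OpenClaw's code. Names and sample roots are assumptions.

// Every key that may carry a local file reference goes through the same check.
// The advisory attributes the bug to 'mediaUrl' and 'fileUrl' being left out.
const LOCAL_FILE_KEYS = ["mediaUrl", "fileUrl"] as const;

type ActionParams = Record<string, unknown>;

interface Verdict {
  ok: boolean;
  resolved?: string; // canonical path when the value refers to a local file
  reason?: string;   // why the value was rejected
}

// Turn a bare path or a file: URL into a filesystem path. Other schemes
// (http, https, data, ...) are not local files and are returned as null.
function toLocalPath(value: string): string | null {
  if (/^file:/i.test(value)) {
    // WHATWG URL parsing collapses "." / ".." segments and handles %-encoding.
    return decodeURIComponent(new URL(value).pathname);
  }
  // Two or more chars before the colon, so a Windows drive letter is not a scheme.
  if (/^[a-z][a-z0-9+.-]+:/i.test(value)) return null;
  return value;
}

// Lexical containment: the relative path from root to candidate must not
// start with "..". A plain prefix test would wrongly accept /sandbox/agent-ab
// as being under /sandbox/agent-a, so the comparison is segment-aware.
function isInsideRoot(candidate: string, root: string): boolean {
  const rel = path.relative(root, candidate);
  if (rel === "") return true;
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Check one value against the allowed roots. Relative paths are resolved
// against the first root, so the agent cannot pick its own base directory.
function checkLocalFileValue(value: string, sandboxRoots: string[]): Verdict {
  const local = toLocalPath(value);
  if (local === null) return { ok: true }; // remote reference, not our concern here
  if (local.includes("\0")) return { ok: false, reason: "NUL byte in path" };
  const resolved = path.resolve(sandboxRoots[0], local);
  const inside = sandboxRoots.some((root) => isInsideRoot(resolved, path.resolve(root)));
  return inside
    ? { ok: true, resolved }
    : { ok: false, resolved, reason: `outside sandbox roots: ${resolved}` };
}

// Check every local-file key present on the params; one verdict per key.
function checkLocalFileParams(params: ActionParams, sandboxRoots: string[]): Record<string, Verdict> {
  const verdicts: Record<string, Verdict> = {};
  for (const key of LOCAL_FILE_KEYS) {
    const value = params[key];
    if (typeof value === "string") verdicts[key] = checkLocalFileValue(value, sandboxRoots);
  }
  return verdicts;
}

// Gate a dispatcher would call before handing the action to a plugin: rewrites
// accepted values to their canonical absolute form and throws on any rejection.
function normalizeSandboxFileParams(params: ActionParams, sandboxRoots: string[]): ActionParams {
  const out: ActionParams = { ...params };
  for (const [key, verdict] of Object.entries(checkLocalFileParams(params, sandboxRoots))) {
    if (!verdict.ok) throw new Error(`${key} rejected: ${verdict.reason}`);
    if (verdict.resolved !== undefined) out[key] = verdict.resolved;
  }
  return out;
}

// Constructed sample: agent-a's workspace is a sibling of agent-b's under /sandbox.
const AGENT_A_ROOTS = ["/sandbox/agent-a"];

const accepted = normalizeSandboxFileParams({ mediaUrl: "out/report.png" }, AGENT_A_ROOTS);
console.log(accepted); // { mediaUrl: '/sandbox/agent-a/out/report.png' }

try {
  normalizeSandboxFileParams({ fileUrl: "/sandbox/agent-a/../agent-b/config.json" }, AGENT_A_ROOTS);
} catch (e) {
  console.log((e as Error).message); // fileUrl rejected: outside sandbox roots: /sandbox/agent-b/config.json
}
```

The check is lexical, which is what normalization can guarantee before the file is opened; at open time the same containment test should be repeated on the result of fs.realpath so that a symlink planted inside one workspace cannot point into another. Keeping the key list in one constant is the point of the example: a key that is missing from it is exactly a key that never reaches the check.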

Remediation

Users are advised to update OpenClaw to version 2026.3.24 or later, where this vulnerability has been patched.

Added: Apr 10, 2026, 5:52 PM
Updated: Apr 10, 2026, 5:52 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.5
exploitability: 8.0
remediation: 0.0
relevance: 5.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.